Get the token from the access_token query parameter

ory · Apr 12, 2017 · 7aa20f1 · 7aa20f1
1 parent 5e1c890
commit 7aa20f1
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 10 deletions.
diff --git a/introspect.go b/introspect.go
@@ -13,10 +13,20 @@ type TokenIntrospector interface {
 }
 
 func AccessTokenFromRequest(req *http.Request) string {
+	// Acording to https://tools.ietf.org/html/rfc6750 you can pass tokens through:
+	// - Form-Encoded Body Parameter. Recomended, more likely to appear. e.g.: Authorization: Bearer mytoken123
+	// - URI Query Parameter e.g. access_token=mytoken123
+
 	auth := req.Header.Get("Authorization")
 	split := strings.SplitN(auth, " ", 2)
 	if len(split) != 2 || !strings.EqualFold(split[0], "bearer") {
-		return ""
+		// Nothing in Authorization header, try access_token
+		// Empty string returned if there's no such parameter
+		err := req.ParseForm()
+		if err != nil {
+			return ""
+		}
+		return req.Form.Get("access_token")
 	}
 
 	return split[1]

diff --git a/introspect_test.go b/introspect_test.go
@@ -1,8 +1,7 @@
 package fosite_test
 
 import (
-	"net/http"
-	"net/url"
+	"net/http/httptest"
 	"testing"
 
 	"github.com/golang/mock/gomock"
@@ -15,18 +14,38 @@ import (
 	"golang.org/x/net/context"
 )
 
+func TestAccessTokenFromRequestNoToken(t *testing.T) {
+	req := httptest.NewRequest("GET", "http://example.com/test", nil)
+
+	assert.Equal(t, AccessTokenFromRequest(req), "", "No token should produce an empty string")
+}
+
+func TestAccessTokenFromRequestHeader(t *testing.T) {
+	token := "TokenFromHeader"
+
+	req := httptest.NewRequest("GET", "http://example.com/test", nil)
+	req.Header.Add("Authorization", "Bearer "+token)
+
+	assert.Equal(t, AccessTokenFromRequest(req), token, "Token should be obtainable from header")
+}
+
+func TestAccessTokenFromRequestQuery(t *testing.T) {
+	token := "TokenFromQueryParam"
+
+	req := httptest.NewRequest("GET", "http://example.com/test?access_token="+token, nil)
+
+	assert.Equal(t, AccessTokenFromRequest(req), token, "Token should be obtainable from access_token query parameter")
+}
+
 func TestIntrospect(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	validator := internal.NewMockTokenIntrospector(ctrl)
 	defer ctrl.Finish()
 
 	f := compose.ComposeAllEnabled(new(compose.Config), storage.NewMemoryStore(), []byte{}, nil).(*Fosite)
-	httpreq := &http.Request{
-		Header: http.Header{
-			"Authorization": []string{"bearer some-token"},
-		},
-		Form: url.Values{},
-	}
+
+	req := httptest.NewRequest("GET", "http://example.com/test", nil)
+	req.Header.Add("Authorization", "bearer some-token")
 
 	for k, c := range []struct {
 		description string
@@ -77,7 +96,7 @@ func TestIntrospect(t *testing.T) {
 		},
 	} {
 		c.setup()
-		_, err := f.IntrospectToken(nil, AccessTokenFromRequest(httpreq), AccessToken, nil, c.scopes...)
+		_, err := f.IntrospectToken(nil, AccessTokenFromRequest(req), AccessToken, nil, c.scopes...)
 		assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr)
 		t.Logf("Passed test case %d", k)
 	}